Forgot your password?
typodupeerror
Bug Desktops (Apple) OS X Security Apple

Mac OS X Lion LDAP Vulnerability Emerges 97

Posted by Soulskill
from the mash-keyboard-for-access dept.
hypnosec tips a bit of Apple news from late last week that got overshadowed by the headlines about Steve Jobs. According to El Reg, "People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way into sensitive networks." Initial reports about this bug cropped up less than a week after Lion was released.
This discussion has been archived. No new comments can be posted.

Mac OS X Lion LDAP Vulnerability Emerges

Comments Filter:
  • Re:but... (Score:5, Insightful)

    by dimeglio (456244) on Monday August 29, 2011 @04:16PM (#37245942)

    Well the Mac in this case is the threat and not the vulnerability. So from that perspective, the Mac itself remains secure.

  • Uh.. What? (Score:4, Insightful)

    by synthesizerpatel (1210598) on Monday August 29, 2011 @04:33PM (#37246130)

    I'm not quite sure what the 'bug' here is.. First off, Apple's LDAP is 'OpenLDAP'. So. Is this a flaw in OpenLDAP or Apple's configuration for OpenLDAP?

    Also.. LDAP is kinda like DNS, except most places don't secure it. To see this in action, download Apache LDAP Studio, connect to your friendly local LDAP server and start browsing around (without authentication).. Most times you can get an almost full LDAP dump from a remote server without authenticating at all. Generally the only 'protected' elements are the passwords. You can enumerate users, groups, etc.

The trouble with opportunity is that it always comes disguised as hard work. -- Herbert V. Prochnow

Working...